How does GDPR affect your business?
On 25th May 2018 the EU’s General Data Protection Regulation (GDPR) will come into force. It will affect any company that handles personally identifiable information (PII) of EU citizens, so if your business has an EU customer or employee, it applies to you, even if your business resides outside of the EU.
Many businesses are still unaware of the impact this may have on their organisation. With less than six months to go, your organisation could be facing huge fines: up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher.
At SupPortal UK we can offer a range of consultancy packages to help your organisation comply with these new regulations. We attained and have been audited to the IASME Gold standard which is effectively ISO27001 for small business. We are also a certificating body for the government backed scheme Cyber Essentials.
What the ICO have to say
Given the type of organisation they are and the subject matter, jargon-free plain English is not top of the ICO’s list. Below is a sample of what to expect from the ICO website. This is not going to mean a lot to most people, so at SupPortal we hope to cut through this jargon and tell you in plain English how GDPR affects your business.
Who does the GDPR apply to?
- The GDPR applies to ‘controllers’ and ‘processors’.
- A controller determines the purposes and means of processing personal data.
- A processor is responsible for processing personal data on behalf of a controller.
- If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
- However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
- The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
- The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.
What information does the GDPR apply to?
- Personal data
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised – e.g. key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
- Sensitive personal data
The GDPR refers to sensitive personal data as “special categories of personal data” (see Article 9).
The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual.
Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing (see Article 10).